I'm a professional software developer with a high interest in web application security. I'd say that I probably have a better understanding of the security of web applications than the average developer. My problem is, that my knowledge is heavily focused on the theoretical part of web security - meaning, I've read lots of books, I follow blogs and mailing lists, but my practical experience is limited.

I know the root cause to vulnerabilities, I know how they work and how to stop them. What I'd like to do, is to take my knowledge to the next step - I want that practical experience. I know that I'll probably end up doing security related stuff at some point in my career, but not just yet - at least not full time. Meanwhile I'd like to build up my knowledge of web application security and get more experience, especially in fields such as penetration testing.

My question to you, my dear security experts, what advice do you have for me to get that practical experience I so desire? What resources could you recommend for learning about the different tools and techniques used in penetration testing?

One option could be, to install a vulnerable web application locally (I know there is at least one on google code, can't remember its name), and then use guides such as OWASP's Testing Guide to try out the different techniques. However, I'm probably looking for a more guided way of learning, meaning, I want to know in which order I should do stuff, make sure I'm doing stuff in the right way and in the right order - baby steps, so to say.

5 Answers
5

This is great that you are doing so much learning on your own. You are on the right track. Your enthusiasm to learn on your own will put you a step above a lot of your competition. Kudos.

My main advice would be: don't worry too much about planning out a path through all the material you want to learn. You don't need a carefully thought-out plan. Instead, get your hands dirty, play around, don't be afraid to explore. When you see something that looks cool, follow up on it opportunistically. At first you might be overwhelmed but in the longer run I think you'll find it a valuable experience.

I think one good experience is to engage in a security evaluation of a software system. This would be a fun experience for you. You could pick an open-source web application or web programming framework and do a security evaluation of it: do an architectural risk assessment (what Microsoft calls "threat modeling", with STRIDE and the like), read the code and do security code review, try out some static analysis tools. Then, write up your results and post a blog entry with your evaluation. Do this a few times and I think the experience will be extremely helpful for you.

Another very good experience for you would be to build a non-trivial web application or two. I like web2py as a web programming framework for its ease of learning curve, but alternatively picking something that's more popular (e.g., Ruby on Rails, PHP or one of its frameworks) might be good experience to see what the issues are with common frameworks. Write a web application, with some client-side Javascript code. Play around learning how to use jquery or the like. Maybe experiment with node.js. I think this will be a fantastic way to get exposure to some of the challenges and mindset that web developers are likely to face.

Depending upon your personality, you might find it fun to create a blog and write down fun things you have learned, as you learn them. For many people, the act of writing something out solidifies it in your brain and forces you to understand it better.

You mentioned practicing hacking a web application. Learning how to hack a web application is fun, and it is worthwhile up to a certain point. It's good to have some hands-on experience hacking a web application, to help you think about the risks and to make the concepts concrete. However, I wouldn't make it the primary focus of your learning. Web penetration testing is a lower-end activity these days, with less promising career opportunities, so I wouldn't advise trying to focus your energy on learning to be a web pentester. That's not how I'd advise you to position yourself, if you have the choice (and it sounds like you do).

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).

How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

I can identify with your situation :-)
I've been buzzing around the infosec community for a while now, basically trying to get going with the things you want to do as well. These are some of the pointers I've picked up on how to get your hands dirty.

eLearnSecurity
For me personally, I've decided to go ahead with the course at eLearnSecurity.

It's gaining a lot of traction in the security community for being very practically minded. They also have a setup which they call 'The Colosseum', where you have a playground of vulnerable web apps at your disposal.

This isn't one of those 'certifications for the sake of HR' ones. It's properly useful.

If your employer/organization periodically engages an outside firm to perform vulnerability testing ask/beg/struggle/fight to be involved withthat perhaps as the web/app dev point person. You can make a contact with someone doing the hands-on work (ask them how they broke into the game), you might be able to guide your employer by tapping into your theoretical knpwledge. Reviewing the written proposal of work submitted by the outside firm is useful as well as you might be able to make constructive suggestions about what they intend.
–
jl01Dec 20 '11 at 16:53

@jl01 - you could post this as a question, rather than a comment. Then you will be able to add formatting etc.
–
Rory Alsop♦Dec 20 '11 at 22:18

I have to respectfully disagree with D.W. regarding the attractiveness of the web application security as a field and career (but I'm biased here). I think it is a very exciting, dynamic and growing area where a growing number of players have big stakes. I would say if you have a high interest in the web application security, go all in for that - if this excites you, you will be able to build a great career and have interesting and challenging work. Above all, it is a very dynamic field so you should not get bored for the next 20-30 years! :)

get involved with the [web application] security community (or communities). Coming to this site is the right first step :) For web application security - if there is an OWASP chapter near you (https://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters_by_Geographic_Region), get in touch with them and come to their gatherings; if not, consider starting one!

go to a conference such as OWASP, BlackHat or DefCon if you can - or browse through their website, posted slides and webcasts

pick up your "role models" - surf through security topics, postings and pick up a few blogs and Twitter accounts that you would follow and which would give you information and inspiration.

learn a web application scanner - for example, W3AF http://w3af.sourceforge.net/ You can also get involved with the project and help to make it better (or more suitable for your purposes or interests)

finally, more books - there's never enough of them! :) Make sure to read through "The Web Application Hacker's Handbook" (aka WAHH2) and "The Tangled Web"; consider going through the "Web Application Obfuscation" if its material interests you. To make the readings more practically oriented and engaging, try to make up things illustrating what you read about or doing some variations on the exploits or code samples. For example, shell out for a couple of hours of http://mdsec.net/labs/ labs (companion of WAHH2) and then try to code similar demos for other topics.

If your employer/organization periodically engages an outside firm to perform vulnerability testing ask/beg/struggle/fight to be involved with that perhaps as the web/app dev point person.

This will enable you to make contact with someone doing the hands-on work (ask them how they broke into the game).

You might be able to guide your employer by tapping into your theoretical knowledge. While you might not have actually used the testing tools employed, an understanding of what those tools are doing at a basic level and what those tools are intended to disclose will help you.

Reviewing the written proposal of work submitted by the outside firm is useful as well as you might be able to make constructive suggestions about what they intend. I have been able to review such documents with my current employer and point out "boiler-plate" versus what is truly meaningful. And I was able to see the quotes for such work to be performed. Wow!

Finally, the written report of the tester's results may look like gloom and doom to some, but in can be an opportunity for you to volunteer to be involved in any subsequent risk assessments or mitigation efforts.

Speaking of risk assessments, D.W.'s suggestion of performing one against a web-app is a good one. You can download the STRIDE template/tool from MS (requires Visio the last time I used it) and use that to create your finished product. You could also employ the MS DREAD scale to measure potential risk. The NIST 800-30 document that is the federal risk assessment framework is another good source for process steps and a reporting framework. Models such as STRIDE, DREAD, the NIST publications all become solid points of "best practices" citations in any write-up you present.

Ultimately management will be the consumers of whatever outputs you create. Giving them something that they understand and is useful will give you the kind of exposure needed for subsequent security assignments.